Does traditional security risk assessment have a future in Information Security?

The current information security standards still advocate the use of risk assessment to prioritise security investments. However, prior research on the use of risk assessment methodologies in organisational security has shown that the traditional monolithic risk assessment process described in the current risk management standard is simply not practical at the organisational level. This paper first examines the problems in performing a systematic risk assessment and then discusses the limitations of a traditional risk assessment. To address these limitations, the paper proposes splitting up the current monolithic risk assessment process. The result is an information security assessment framework that puts greater emphasis on situational awareness and allows for better decision making on the prioritisation of security investments.
